[hansvm]

I was at an org who started using Okta a few years ago (left a few months later, unrelated). Among the issues, it wasn't confidence inspiring that the policies that org set (like requiring the Okta app for 2FA rather than TOTP, or enforcing certain properties about the passwords you're allowed to use) were only enforced in the browser and could easily be circumvented by just sending an appropriate request. Maybe they're fine otherwise, but my rule of thumb is that every security-critical single-point-of-failure like Okta will have major problems, and they certainly haven't presented enough evidence to sway that opinion.